Cyber Attacks, Threats, and Vulnerabilities
North Korea Plotting 'Massive Cyber Attack' Alongside Missile Launch (IBTimes.co.uk) North Korea is planning to launch a massive cyber attack against its southern adversaries alongside a much-feared missile launch, according to reports from Seoul. The Reconnaissance General Bureau in Pyongyang, which employs thousands of skilled
How South Korea Traced Hacker To Pyongyang (InformationWeek) Apparent mistake exposed the March bank hacker's IP address, which investigators traced to a North Korean address.
The Tallinn manual (The Dong-A Ilbo) The South Korean government said North Korea's military intelligence agency masterminded the cyber attack that paralyzed the IT networks of broadcasters and financial companies on March 20. As for the Stalinist regime's missile launch, it said, "We will punish the origin of the attack, supporting and commanding forces more than 10 times what they do." Whether Seoul will respond to the cyber attack or not remains to be seen. Some people say, "Since a cyber attack is combat, South Korea needs to punish North Korea." Nevertheless, it is not easy to do so under the international laws
Malicious Spam Warns of War with North Korea (eSecurity Planet) The spam e-mails deliver the Cridex malware, which steals login credentials from infected PCs. ThreatTrack Security researchers recently came across a spam campaign with a simple message -- the subject line is "Fwd: Re: War with N. Korea," and the message reads, "Hi, bad news. War with N. Korea"
Years-long cyber attack on online gaming companies uncovered (Polygon) A Russian-based computer security company says it's uncovered an international cybercrime group that uses code stolen from online gaming companies to create software that has been used to spy on activists and steal aerospace secrets
'Gold Farmers' Hack Gaming Firms For Virtual Currency, Source Code -- And Digital Certificates (Dark Reading) Targeted attack campaign against online gaming firms demonstrates blurring lines between financially motivated cybercrime and cyberespionage actors and their techniques, tools
Winnti Cyberespionage Campaign Targets Gaming Companies (Threatpost) A cybercrime gang has been running roughshod over the gaming industry for years using malware signed with valid digital certificates to steal source code and valuable in-game currency for a number of popular online games
Data-Stealing Spyware Redpill Back, Targeting India (Threatpost) A form of spyware first seen in 2008 and known for siphoning away users' bank account credentials, emails, screenshots and various other bits of information has surfaced again – this time targeting computer users in India
Hide your kids, hide your BTC: Bitcoin-stealing malware emerges (Ars Technica) Click-bait to an exchange lookalike site drops malware to steal from accounts. In another example of the security mantra of "be careful what you click," at least one Bitcoin trader has been robbed in a forum "phishing" attack designed specifically to ride the hype around the digital currency. The attack attempts to use Java exploits or fake Adobe updates to install malware, and it's one of the first targeted attacks aimed at the burgeoning business of Bitcoin exchanges
Regions Bank cyber attack (KSDK) NewsChannel 5 received a tip Thursday that Regions Bank had been hit by a cyber attack. The bank confirmed this tip through their Twitter account, tweeting, "We are currently under cyber attack and our website and Online Banking are
Malaysian media sites targeted in cyber-attack (ABC Online) Cyber-attacks have taken several independent media outlets offline on the first day of Malaysia's election campaign. The websites for Radio Free Malaysia, Radio Free Sarawak and the news portal Sarawak Report have been brought down by a cyber attack
Wm. Jennings Bryan Dorn VA Medical Center Admits Security Breach (eSecurity Planet) The personal information of 7,405 patients may have been exposed. South Carolina's Wm. Jennings Bryan Dorn VA Medical Center recently sent letters to 7,405 patients warning them that an unprotected laptop was found to be missing on February 11, 2013. The laptop contained the veterans' personal information, including names, birthdates, weight, race, test results and partial Social Security numbers
When is a password not a password? When Excel sees "VelvetSweatshop" (Naked Security) Over the last few months, I've spent a significant proportion of my time researching the CVE-2012-0158 vulnerability…One of the issues in detecting CVE-2012-0158 samples is that the delivery mechanism can be RTF, Word or Excel files. Word and Excel files can be password-encrypted, meaning that it can be harder for an anti-virus scanning engine to see the malicious code. The problem the attackers have, of course, is that they not only have to trick users into clicking on the attachment with social engineering, but also need to dupe their potential victims into entering a password. With Excel, however, there is another method and that is to save the boobytrapped file as "Read Only". "Read Only" applies the same encryption method and uses a default password chosen by the Microsoft programmers: "VelvetSweatshop"
Malicious WordPress Plugin Discovered (eSecurity Planet) A freelance programmer apparently took the opportunity to inject malicious code into the Social Media Widget plugin without the maintainer's knowledge. Sucuri CTO Daniel Cid and COO Tony Perez recently discovered that the Social Media Widget plugin for WordPress was being used to inject spam into Web sites -- and with just under a million downloads, the plugin had the potential to impact a significant number of sites
Hackers could start abusing electric car chargers to cripple the grid, researcher says (CSO) If we don't start securing systems today, it will become a problem in 10 years, the researcher said. Hackers could use vulnerable charging stations to prevent the charging of electric vehicles in a certain area, or possibly even use the vulnerabilities to cripple parts of the electricity grid, a security researcher said during the Hack in the Box conference in Amsterdam on Thursday
Advanced Malware Takes Unique Steps to Hide Itself (InfoPackets) Researchers have discovered a new type of malware that uses several advanced strategies to prevent you from detecting it. Those strategies include tracking user mouse usage and hiding malicious files. The malware, which is being called Trojan.APT.BaneChant, was recently discovered by researchers at security firm FireEye. The malware reportedly spreads through an infected Microsoft Word document attached to emails
As Defenders Adapt, Offensive Techniques Continue to Evolve (Threatpost) The security teams that have to defend enterprise networks are faced with a broad and deep threat landscape populated with all manner of malware and targeted attacks. Those teams often have to react quickly to new threats, well before vendors respond with new technologies. By the look of things on the offensive side of the ball, much of which is on display at the Infiltrate conference here, things are not likely to get any easier for network defenders anytime soon
Social Engineering Skype Support team to hack any account instantly (Hacker News) You can install the industry's strongest and most expensive firewall. You can educate employees about basic security procedures and the importance of choosing strong passwords. You can even lock-down the server room, but how do you protect a company from the threat of social engineering attacks? For any of you that are involved in security awareness efforts, you know what I am talking about. It could happen tomorrow, it could happen today or it might already have happened
A beginner's guide to building botnets—with little assembly required (Ars Technica) For a few hundred dollars, you can get tools and 24/7 support for Internet crime. Have a plan to steal millions from banks and their customers but can't write a line of code? Want to get rich quick off advertising click fraud but "quick" doesn't include time to learn how to do it? No problem. Everything you need to start a life of cybercrime is just a few clicks (and many more dollars) away
The Truth About Spam (Dark Reading) New study shows one in three spam emails contains malware-ridden attachments, and one-fourth of all bots are in enterprise networks
Enisa criticises ISPs' preparation against cyber-attacks (Telecompaper) EU cyber-security agency Enisa criticised ISPs in its analysis of a recent massive cyber-attack. ISPs are accused of failing to apply well-known security measures which have been available for over a decade. This error is as a key factor behind the
Security Patches, Mitigations, and Software Updates
Google Releases Google Chrome 26.0.1410.57 (US-CERT) Google has released Google Chrome 26.0.1410.57 for all Chrome OS devices to address a vulnerability. This vulnerability could allow an attacker to execute arbitrary code. US-CERT encourages users and administrators to review the Google Chrome Release blog entry and follow best-practice security policies to determine which updates should be applied
Microsoft tells all Windows 7 users to uninstall security patch, after some PCs fail to restart (Naked Security) Microsoft has advised all users of Windows 7 who installed a security update to uninstall it, after some customers found their computers would not restart or applications would not load
Microsoft amends security update after reports of system errors (CSO) The company has removed the update from the MS13-036 batch of patches. Microsoft has amended a security update containing a patch that reportedly caused errors in some third-party software. The update, number 2823324, was distributed on Tuesday as part of MS13-036, a batch of patches that fix three Windows vulnerabilities in a kernel-mode driver
Cyber Trends
Infonetics: Managed Security Services Market Topped $13 Billion in 2012 (eSecurity Planet) The research firm predicts that sales of cloud-based security services will surge over the next five years. According to Infonetics Research's latest Cloud and CPE Managed Security Services report, the global cloud and CPE managed security service market grew by 12 percent from 2011 to 2012, reaching $13 billion
BYOD Fuels NAC Comeback (eSecurity Planet) The BYOD boom is leading to a revival of network access control (NAC) technology, as more companies employ NAC to secure their networks. Network access control (NAC) is back. To get an idea of the NAC sales boom currently underway, Frost & Sullivan estimates that sales will grow by almost 14 percent a year for the next two years to
Why You Should Care Cybersecurity Lobbying Doubled (Mashable) Lest you doubt we are entering the age of a cybersecurity industrial complex—and that such a system doesn't necessarily have the average Internet user in mind—take a look at the numbers. According to a new study by the lobbying group Center for Responsive Politics, lobbying reports that referenced "cybersecurity" more than doubled last year. Mentions jumped from 990 in 2011 to 1,968 in 2012
South Africa a 'big target' for cyber crime (IT Web) Cyber crime poses the biggest risk to local business, with elements like mobile and cloud exacerbating the threat. If you think your data is safe, think again, says Andrew Kirkland, country manager of international security firm Trustwave. SA is a major target for data breaches and, while local businesses on the whole have certain measures in place, these are insufficient until companies understand and appreciate the value of their unique data
Unfazed By Bitcoin's Wild Swings And Mysterious Origins, Silicon Valley VCs Place Their Bets (TechCrunch) Bitcoin's record highs and the ensuing surge in hacking attempts and thefts may be grabbing headlines. However, beneath the chaos, Silicon Valley's best-known venture firms are finally starting to make real bets around the crypto-currency
Bitcoin Is A Disruptive Technology (Forbes) A financial network is a technological platform that people build businesses on top of. And the traditional banking and credit card networks are closed platforms. If you want to build an e-commerce site, a payment network like Paypal, or any other service that deals in dollars, you need to convince incumbent financial institutions to do business with you. Getting such a partnership is difficult and involves a lot of red tape
Why Bitcoin is a Bubble: Currency is liquid. Bitcoins aren't. (Daily Beast) My friend Tim Lee says that critics of Bitcoin need to do a better job of explaining why bitcoins--the virtual currency that has been soaring to impressive heights--are in a bubble
'Taming the bubble': investors bet on Bitcoin via derivatives markets (Ars Technica) Professor: "I really have no way of figuring out what a bitcoin is worth"
Fool's Gold: Bitcoin is a Ponzi scheme—the Internet's favorite currency will collapse. (Slate) Bitcoin is a fantasy. The Internet's currency—a secure, private, decentralized type of money that makes possible anonymous and virtually costless transactions across borders—contains the seeds of its own destruction. More than anything else, it resembles a Ponzi scheme—and the wild claims made on its behalf reveal a great deal about a libertarian strain of thinking with deep roots in the American psyche
Marketplace
IRS's big data play built on shaky foundations (IT World) The IRS is scaring taxpayers silly this season with boasts about its Big Data prowess and 'robo audits.' But recent reports suggest the agency is struggling to keep its IT operations afloat
DISA building one-of-a-kind cloud for big data (FierceBigData) Talk about unstructured data--the Defense Information Systems Agency got specific this week about what kind of infrastructure it thinks it needs to store and analyze data types
Shortage of Skilled People Could Hamper Military's Offensive Security Capabilities (Threatpost) The U.S. military has been attempting to build up the offensive cybersecurity capabilities in its various services for several years now, but is running into the same obstacles and challenges that private sector firms in the same space are: a shortage of skilled workers and not enough money to hire the ones who have the skills. Those deficits could portend a reevaluation in the way that the military handles cyber operations and who is involved in them
Congress Skeptical Of Obama's Defense Budget (Washington Times) Lawmakers greeted the White House's $526.6 billion defense budget request with skepticism Thursday, as top Pentagon officials defended proposals previously rejected by Congress, such as base closures and increasing health care enrollment fees
FireEye gathers ANZ momentum (Tech Day) FireEye has begun a rapid expansion in Australia and New Zealand through the appointment of Phil Vasic as regional director for the region. One of the global leaders in cyber attack prevention, the company says Vasic joined from Clearswift, where he served as vice president, Asia Pacific and Japan, bringing 15 years of enterprise sales and sales management experience at companies Websense and Hewlett Packard.
New CEO For Secunia (Dark Reading) The board has appointed Niels Henrik Rasmussen. The board and Thomas Zeihlund have agreed a new, international profile is needed for the role of CEO for Secunia, to lead the company onwards
Products, Services, and Solutions
Android MDM Fragmentation: Does It Matter? (Dark Reading) Of all the major mobile operating systems, Android provides the least in terms of mobile security and device management. Google has let its customers down
Study Shows Google Better than Bing at Filtering Malicious Web Sites (Threatpost) A German security company spent 18 months analyzing malware among millions of Web sites ranked by the world's most popular search engines and concluded Google was safer than Bing
Microsemi Achieves NIST Certification on EnforcIT™ Cryptography IP Cores for FPGA and ASIC Designs (Sacramento Bee) Microsemi Corporation (Nasdaq: MSCC), a leading provider of semiconductor solutions differentiated by power, security, reliability and performance, announced it has achieved National Institute of Standards and Technology (NIST) algorithmic certification on its U.S.-developed EnforcIT Cryptography Suite of National Security Agency (NSA) Suite B algorithms
Microsoft looks like being next with two-factor authentication (Naked Security) We've written recently about Apple and Automattic starting to offer two-factor authentication (2FA) for online accounts. Word on the street says that Microsoft will soon be doing the two-step, too
Google Death: Inactive account manager helps you plan digital last will and testament (CSO) Google provided a somewhat morbid reminder of the increasing primacy of digital data in our lives with the release today of the euphemistically named Inactive Account Manager feature. The service allows users to customize what will happen to their account data -- everything from Gmail messages to Drive content to Google+ posts -- if their account goes inactive for whatever reason. Options range from simply deleting everything to carefully arranged disbursement of personal information to selected contacts
Panda Security and Facebook Expand Collaboration to Protect Users (PR Web) Facebook's AV Marketplace will allow users to enjoy Panda Security's malicious URL protection in four new languages. We're extremely happy with the results
Technologies, Techniques, and Standards
Security Software Tracks Stolen Laptop from London to Tehran (eSecurity Planet) Dom del Torto now knows where his laptop is -- but he's unlikely to get it back. On February 4, 2013, Dom del Torto of London's Big Animal Design & Animation Studio found that someone had broken into his flat on London's Holloway Road, and had stolen his iPad and his MacBook Pro
Design and Innovation
Virginia is for startups: Governor launches cyber-security accelerator (VentureBeat) If you're a security startup you may want to set up shop in Virginia, not Silicon Valley. Virginia Governor Bob McDonnell officially opened the doors to a security-focused startup accelerator today called Mach37. The accelerator is modeled in the same form as Y Combinator, 500 Startups, and Techstars, according to a release by the organization
Research and Development
'Embassies' Could Give Users Sanctuary From Threats (Dark Reading) Taking a cue from virtualized datacenters, Microsoft researchers envision a browser architecture that isolates Web apps from each other to strengthen security
IBM To Invest $1 Billion In Flash Technology Research, Reflecting Obsolescence Of Hard Disk Drives (TechCrunch) IBM plans to invest $1 billion in research to design, create and integrate Flash into its servers, storage systems and middleware, a reflection of the changing requirements needed for companies to manage massive amounts of data. As part of the news, IBM also announced a new line of Flash appliances. These storage appliances are based on technology acquired from Texas Memory Systems
Mind over matter: Researchers turn thoughts into passwords (CSO) Scientists demonstrate ability to differentiate individual brain activity. May be how you access your digital life in the future. In the not-crazy-distant future, instead of using a password to navigate our digital lives, we may be able to think our way into our various online services and ever-growing array of digital whatnots. Researchers at the University of California-Berkeley's School of Information claim to have devised a method to use biosensors to accurately differentiate the brainwaves of specific subjects as they visualized songs, images, or other mental tasks. The brain activity resulting from these tasks appears to be inherent to each individual and may one day supplant traditional (and hackable) password security systems
Academia
NYC students, hackers train for cybersecurity jobs (Philly.com) Students at the Polytechnic Institute of New York University (NYU-Poly), sitting near a poster from an earlier lecture about cyber crime, come together for a Wednesday evening Hack Night in the Information Systems and Internet Security (ISIS) lab at
Cryptographer Ronald Cramer appointed Fellow of IACR (CWI) Ronald Cramer from Centrum Wiskunde & Informatica (CWI) in Amsterdam and Leiden University has been appointed Fellow of IACR. This was announced on 8 April by the International Association for Cryptologic Research, IACR. The selection committee praised the mathematician for his contributions to the development of modern cryptography. He received the title "for fundamental contributions to cryptography, for sustained educational leadership in cryptography, and for service to the IACR". Cramer is the first researcher active in the Netherlands to receive this prestigious award. The ceremony takes place during the 33rd CRYPTO conference in August 2013 in Santa Barbara, Ca., USA
MI5 warns universities on cyber spying (Financial Times) UK security services have warned universities to be more vigilant in protecting themselves against cyber attacks by foreign powers seeking to poach intellectual property at the frontier of science and technology. Vice-chancellors have been briefed by Sir Jonathan Evans, the outgoing head of MI5, while Universities UK, which represents the sector, is preparing to issue institutions guidance about how to ward off the cyber threat
Top Majors to Influence National Growth (The Hill) Since the age of 16, graduating senior Dominique Nash always thought that she wanted to be a pharmacist. Before she transferred to Howard University, she was a Biochemistry Major at the University of Maryland Eastern Shore. Although she wanted to make her mother proud, Nash eventually left pharmacy and went to follow her real passion, Broadcast News
Trend Micro, Deakin University and Macquarie University join forces to protect Australians online (CSO) Trend Micro, a leading provider of cloud security, has joined forces with Deakin University and Macquarie University on a research project designed to analyse the security of the World Wide Web and make the online world safer for Australians. With more than 90 percent of malware delivered over the internet, the joint project aims to develop innovative approaches to effectively identify malicious web domains and sites. Using evidence-based research and big data analytics, the research team will analyse the web threats specifically targeting Australia and look at developing tools and capabilities to enhance the levels of online security. Another goal is to raise public awareness of cyber threats and educate users on how they can best protect themselves
Take a Break for Security (Embry-Riddle Horizons) With spring break behind us and summer break just around the corner, now is a great time to think about what you are doing to secure your data and devices. Are you vigilant about creating unique passwords and not sharing them or writing them down? Do you have passcodes on your mobile devices? Are you cognizant about what you post online and why
California Expands Use Of MOOCs (InformationWeek) California expands edX "blended" classroom experiment, sees increase in course pass rates
Legislation, Policy, and Regulation
CISPA, stripped of privacy protections, heads for House vote (RT) Privacy advocates are up in arms after the House Intelligence committee overwhelmingly approved an updated draft of the Cyber Intelligence Sharing and Protection Act, or CISPA, Wednesday afternoon by a vote of 18-to-2
White House signals it won't support CISPA in present form (CSO) Calls for more privacy, civil liberties protections in reintroduced Cyber Intelligence Sharing and Protection Act. In what's quickly turning out to be a replay of events from last year, the White House today signaled that it would not support the recently reintroduced Cyber Intelligence Sharing and Protection Act (CISPA) in its present form
Critics: CISPA still a government surveillance bill (CSO) A U.S. House of Representatives committee failed to make the changes necessary to allay fears about government surveillance in a controversial cyberthreat sharing bill that's moving toward a House vote, critics said
Former government officials warn against complacency on the cyber front (Washington Free Beacon) Former CIA director James Woolsey noted that a single relatively unsophisticated cyber attack could wreak widespread havoc on U.S. systems that are widely underprepared to handle such an assault. "We have, to put it mildly, a very serious cyber
China, Russia Biggest Cyber Threats to US, Intel Committee is Told (Main Justice) That threat, Clapper suggested, is more troubling even than the prospect of a terrorist group hiring hackers or renting the technological equipment necessary to launch a cyber attack
Senior Cyber Official Targets Black Markets For Zero-Day Vulnerabilities (Inside Defense) A senior Pentagon official has targeted black markets for zero-day cyber vulnerabilities as one of his top priorities over the next year. Eric Rosenbach, the deputy assistant secretary of defense for cyber policy, said that responding to these is "one of the things that I really want to work the hardest on…because I see it as a really big threat"
Obama boosts military, 'black' and spook cyber forces (Register) Obama said that he wanted to increase the military cyber forces led by the US Cyber Command and bump up funding for cyber security information sharing in the Department of Defense (DoD) allocation. "We must confront new dangers, like cyber attacks
Obama makes cyber security a priority (IT Web) The US has moved to increase spending to protect its computer networks from cyber attacks. President Barack Obama proposed on Wednesday increased spending to protect US computer networks from Internet-based attacks, in a sign that the government aims to put more resources into the emerging global cyber arms race
Predictive analytics and data sharing raise civil liberties concerns (O'Reilly Radar) Last winter, around the same time there was a huge row in Congress over the Cyber Intelligence Sharing and Protection Act (CISPA), U.S. Attorney General Holder quietly signed off on expanded rules on government data sharing. The rules allowed the
The EU's common sense privacy approach to big data (FierceBigData) The European Union is being more aggressive than the United States and other countries in getting out in front of the definitions and impacts of big data on privacy, and the rules created around them
Litigation, Investigation, and Law Enforcement
INTERPOL Chief: Fighting Cybercrime Worldwide Requires Law Enforcement And Private Sector To Work More Closely Together (Dark Reading) While law enforcement must be ready to react against cybercrime, preventing it was also a major priority. INTERPOL Secretary General Ronald K. Noble has said that global efforts against cybercrime and to enhance cyber security require law enforcement and private sector Internet security companies to work more closely together, as well as harmonized regulations across countries
IRS going against privacy tide on warrantless email search (CSO) Internal Revenue Service told CSO it does not use emails to target taxpayers, but the agency did not address the use of subpoenas
The IRS Doesn't Think 'Reasonable Expectation of Privacy' Applies to Your Emails (Slate) The IRS Criminal Tax Division doesn't think the Fourth Amendment should apply to email. With Tax Day less than a week away in the United States, you probably don't need another reason to dislike the IRS. But here's one anyway: Newly released documents show that in recent years, the agency has claimed American Internet users "do not have a reasonable expectation of privacy" when it comes to their emails being snooped on